Privacy, Consent and Confidentiality Policy

Purpose

In accordance with the Privacy Act 1988 and the Privacy Amendment Act 2012, which sets out the 13 Australian Privacy Principles, and with state-specific health records Acts, Nextt is required to maintain appropriate collection, storage, retention, disclosure and disposal of information. 

Nextt takes its obligations under legislation seriously and will seek to take all reasonable steps in order to comply with those Acts to protect the privacy of the personal and health information that we hold. This policy sets out how we intend to do so. Where any difference exists between several pieces of legislation, the legislation with the strongest application is to be applied across all services in all states. 


Scope

This policy applies to client consent requirements and to the collection, use, disclosure and storage of information relating to Nextt clients, employees and contractors. It also applies to commercial and financial information. This policy applies to all Nextt services, business functions and employees. 


Definitions

Sensitive Information is information or opinion on an individual’s: 

  • health record information 
  • genetic information where it is not part of the health record information 
  • racial or ethnic origin 
  • political opinion or membership 
  • religious beliefs 
  • philosophical beliefs 
  • sexual preference or practice/s 
  • criminal record 
  • membership of a professional or trade association or trade union. 

Identity: although a person generally has the right to deal with an entity anonymously or pseudonymously, Nextt's primary duty of care for its clients' health, wellbeing and safety makes that right inappropriate here. Adequate and acceptable proof of identity is therefore required. 


Responsibilities

All Nextt employees must comply with this policy. 


Policy

For Nextt to provide services, all clients or their legal representative must sign either the consent section of the service agreement or an individual consent form. The consent form, or the consent section of the signed contract, will be stored on our internal record management system and updated annually, or more frequently if required. 


Collection of Information

Nextt collects and retains relevant information relating to employees and clients. Such information will always be collected for one or more of our functions or purposes, and will: 

  • be collected only by lawful and fair means 
  • not be collected in an unreasonably intrusive way 
  • be collected only in accordance with any other requirement under the relevant Australian Privacy Principles. 

This also applies where such information cannot be collected from the individual because of their level of impairment and must therefore be collected from a third party. 

Nextt collects personal and/or sensitive information for several different primary purposes which have been identified as follows: 

  • To assess and provide support services to clients 
  • To consider all interested persons, being employment candidates, for any employment opportunities that arise 
  • To ensure all employees' and clients' health needs are met within the duty of care responsibilities required 

Use and Disclosure

Nextt will only use and disclose information for the primary purpose for which it was collected, or for a secondary purpose when it can be demonstrated that it is directly relevant to the primary purpose. 

Generally this will mean that: 

  • The individual will have a reasonable expectation that Nextt may use and/or disclose such information for the secondary purpose, or 
  • The individual, or if unable, their authorised or legal representative, has given consent, or 
  • Such use and/or disclosure is required, authorised or permitted under law or for lawful action, or for the prevention of unlawful activity, or 
  • The use and/or disclosure is for statistical purposes, but this will exclude “Sensitive Information”, or 
  • The use and/or disclosure is necessary to lessen or prevent a serious and imminent threat to the life, health, safety or welfare of an individual or the public, or 
  • The disclosure to an immediate family member is necessary to provide appropriate health services to, or care of, the individual, or for compassionate reasons. 

Nextt may request the use of a client's images and/or name for promotional purposes, but will only do so if the client has consented using the appropriate consent form. Completed consent forms will be stored in CareLink (the CRM system). 


Data Quality

Nextt will take all reasonable steps to ensure the personal and sensitive information it collects, uses, holds and discloses is accurate, complete, up to date and relevant. Accordingly, Nextt has developed procedures to: 

  • Verify accuracy and completeness of personal and/or health information when collected 
  • Maintain the currency and relevance of the personal and health information it holds 
  • Respond within 30 days to requests by an individual for their personal information records, or to correct inaccurate, outdated, incomplete, irrelevant or misleading personal information. 

Data Security and Data Retention

Nextt will take reasonable steps to ensure the personal and sensitive information we hold is protected from misuse and loss, and from unauthorised access, modification or disclosure. 

We will do this through: 

  • Provision and use of lockable storage facilities for sensitive paper-based records, both on and off Nextt premises 
  • Provision and use of appropriate security measures for electronic records, including firewall and password protection 
  • Requiring all employees to sign a confidentiality agreement upon commencement with Nextt 
  • Maintenance of appropriate physical security measures for all sites 
  • Ongoing training on keeping information secure when working in the community 
  • Restricting employee access to personal and health information on a "need to know" basis. 

Nextt will also take reasonable steps to ensure that personal information it holds, which is no longer required, is destroyed or de-identified in a secure manner. 

Generally this means: 

  • The deletion is permitted, authorised or required by law, or 
  • If not prevented by law, the individual to whom the health information relates is over the age of 25, where the information was collected while they were a child, or 
  • More than 7 years have elapsed since the individual was last provided with a service. 

Openness

Nextt will be open in how it manages the personal and sensitive information it collects. It will do so by having this publicly available statement setting out how personal and sensitive information is handled. 


Access and Correction

Upon request, Nextt will provide individuals with access to their own personal and/or sensitive information, unless one of the exceptions that requires or allows access to be refused, as set out in the respective Privacy Principles, applies. 

Such exceptions apply generally as follows: 

  • Providing access would pose a serious threat to the life or health of any individual 
  • Providing access would have an unreasonable impact on the privacy of another individual 
  • For personal information, the request for information is frivolous or vexatious 
  • For health information, the request is unreasonable and repeated, with access to the same information having previously been provided 
  • There are considerations with regard to legal proceedings which are underway, being investigated or anticipated 
  • Providing access would be unlawful 
  • A non-Australian entity has not given adequate reason for access and/or has not satisfied Nextt that it will not breach the Australian Privacy Principles. 

Any request for access made to Nextt must be made in writing, as requests are to be stored. 

Individuals requesting access will be required to establish their identity and, where the request is made by a third party legally able to request access on behalf of another individual, the bona fides of their right to be provided with access. 

For requests for access to personal information, access will be provided within 14 days for simple requests and 30 days for more complicated requests. For requests for access of sensitive information, access will be provided within 30 days. If a request for access is refused, the individual will be advised in writing and the same timeframes will apply. 

Once the correct identity has been established, the information can be viewed onsite or provided as a photocopy for the individual to take. 

For access to sensitive information, the individual may request the way in which they wish access to be provided. Nextt will endeavour to provide access in the way requested whenever reasonably possible. Nextt may charge a reasonable fee to facilitate this, but will not charge for the request for access itself. 

Requests for access or correction of personal or sensitive information are to be made to: 

[email protected] 


Sensitive Information

Nextt will not seek to collect sensitive information unless there is a requirement to collect such information and, generally: 

  • The individual has consented to such collection, or 
  • The collection is required by law, or 
  • The collection is necessary to prevent or lessen a serious and imminent threat to the life or health of an individual. 

Making Information Available to Another Service Provider

If an individual requests that Nextt make any information about them available to another service provider, or authorises another service provider to request it from Nextt, we will provide a copy or written summary of that information (see the guidelines below for additional information). 

Where that service provider is an entity that is not Australian, then Nextt will take all reasonable steps to ensure the Acts and Principles referred to in this Policy will be maintained, because Nextt will be accountable if Australian Privacy Principle breaches occur. 


Sharing Client Information with External Supports

Clients may be receiving supports from external providers or practitioners who require information and data about aspects of the client's life in order to complete assessments or reports, or to coordinate services. 

If the client or their legal guardian has provided consent for the sharing of information, we should provide the external supports with the necessary information, subject to the considerations detailed below. 

Considerations for information sharing: 

  • Ensure documented consent to share has been obtained from client/legal guardian. 
  • Only share information that is relevant and necessary to the piece of work the external support is completing. 
  • Support workers and line managers should not enter shift notes or other data into external providers' systems. Information should be collected as per Nextt requirements (i.e. CareLink shift notes and data recording sheets, either electronic or hard copy) and then shared with the external provider. 
  • If the external provider requires specific information or requests data in a specific format (i.e. an electronic survey or form), the line manager should work with the provider to fulfil the requirements using Nextt data storage systems and processes. 
  • Any concerns or issues regarding data collection and information sharing methods raised by the external provider should be escalated to management if they cannot be resolved. 
  • Sensitive and internal information should not be shared with external providers without approval from the relevant RSMD or other senior management. This may include information such as complaints, investigations, detailed incident reports (summaries are appropriate in the context of providers such as behaviour support practitioners) and reportable incidents. 

Complaint Resolution

Should an individual, or their authorised or legal representative, have a complaint regarding our privacy practices or wish to make a complaint about how their personal information has been managed, they should in the first instance contact our Regional Manager Quality and Risk. 

Any complaints received will be handled in accordance with our Complaints Policy. In short, this requires an acknowledgement to the complainant within three days, and complaints will be investigated and resolved to the satisfaction of the complainant within 21 business days of receipt of the complaint. Where the client (consumer) is not satisfied with our response and proposed resolution of the matter, they must be advised to contact the Office of the Australian Information Commissioner to have the matter further considered. 


Procedures for Identifying and Reporting Privacy Breaches

All suspected or confirmed attempts at access by unauthorised staff or third-party entities will be tracked and reported to the Chief Information Officer or, in that person's absence, to a member of the Executive Committee (bearing in mind Nextt's Conflict of Interest provisions). Where unauthorised Nextt staff are involved, a meeting will be held with the staff member/s to ascertain the reasons for and purpose of the access, with appropriate actions to be taken by management. Where unauthorised access was attempted or instigated by third-party entities, our security procedures will be examined to secure our systems against any future breaches (see "Continuous Improvement" below). 


Continuous Improvement

If you identify an issue with this Policy, or a change that you are confident would provide more clarity (for staff, or for Clients, who are known as Consumers), more efficient processes or better security of information, please escalate the suggestion/s to your Manager for the Staff Suggestion Register. 


Records and Audits

Requests for information, completed consent forms, or written notification of withdrawal of consent will be stored in the relevant client or employee file. 

Internal and External Audits will occur from time to time to ensure Nextt is complying with the Australian Privacy Principles. The Nextt Executive Committee will receive a briefing of these audits. 

Should a breach occur, the escalation of such matters (Incidents) will be brought to the immediate attention of the Nextt Executive Committee together with proposed remedial action.